Re: Using PKINIT with ECC

From: mit...@sec4mail.de (Goetz Golla)
Newsgroups: comp.protocols.kerberos
Subject: Re: Using PKINIT with ECC
Date: Thu, 11 Jan 2024 15:20:45 +0100
Message-ID: <mailman.4.1704982855.2322.kerberos@mit.edu>
 by: Goetz Golla - Thu, 11 Jan 2024 14:20 UTC

On 11/24/23 21:47, Ken Hornstein wrote:
>>> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
>>> you tried that? The OpenSC people usually do a good job in terms of
>>> supporting a wide variety of cards but depending on how old the particular
>>> version of OpenSC you are using is you may be running into a compatibility
>>> issue.
>>>
>>> --Ken
>> Indeed the module provided by Yubico solved the issue. It is called
>> ykcs11 and is readily available in the linux package managers.
> I am a LITTLE surprised it worked! The MIT PKINIT plugin hard-codes
> the mechanism in the request; I guess the Yubico library ignores the
> mechanism given to it, which seems strange to me.
>
> I have to ask ... are you SURE that it's using ECC? Because the code that
> uses the PKCS#11 library is actually generating a PKCS#1 digest. I was
> under the impression that ECC signatures are in a different format, so
> I am puzzled how it works at all.

We had it working in November with Yubico's libykcs11 in a lab and in
production tested by two independent people. Testing it again this year
it failed. We are in the process of finding out what exactly we have
tested in November.

I am really confused now. I thought that the problem was in the opensc
code and replacing it with Yubico's libykcs11, which officially supports
ECC, should fix it.

Now you seem to suggest that the problem is in the Kerberos code?

Regards,

Goetz
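
The format difference raised in the quoted text, as an added example that is not part of the original post and is not MIT krb5, OpenSC or Yubico code: the RSA mechanism `CKM_RSA_PKCS` is given a PKCS#1 DigestInfo to sign, while `CKM_ECDSA` is given the bare hash and returns fixed-width r||s rather than a DER structure. SHA-256 and all function names are assumptions made for this illustration.

```python
import hashlib

# DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
# SHA-256 is an assumption made for this example.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def rsa_pkcs1_input(message: bytes) -> bytes:
    """Buffer handed to C_Sign for CKM_RSA_PKCS: DigestInfo wrapping the hash."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def ecdsa_input(message: bytes) -> bytes:
    """Buffer handed to C_Sign for CKM_ECDSA: the bare hash, no ASN.1 wrapper."""
    return hashlib.sha256(message).digest()


def classify_sign_input(buf: bytes) -> str:
    """Tell which of the two layouts a captured to-be-signed buffer has."""
    if len(buf) == 51 and buf.startswith(SHA256_DIGESTINFO_PREFIX):
        return "pkcs1-digestinfo"
    if len(buf) == 32:
        return "raw-digest"
    return "unknown"


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(raw: bytes) -> bytes:
    value = raw.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:  # prepend 0x00 so the INTEGER stays non-negative
        value = b"\x00" + value
    return b"\x02" + _der_len(len(value)) + value


def ecdsa_raw_to_der(sig: bytes) -> bytes:
    """CKM_ECDSA returns fixed-width r||s; X.509/CMS carry DER ECDSA-Sig-Value."""
    if len(sig) == 0 or len(sig) % 2:
        raise ValueError("expected r||s of equal width")
    half = len(sig) // 2
    body = _der_int(sig[:half]) + _der_int(sig[half:])
    return b"\x30" + _der_len(len(body)) + body
```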
